# Step-by-Step: Setting Up an Active Directory Domain Services (AD DS) Server
This guide is intended for system administrators, students, and security professionals deploying Active Directory in authorized environments.
## Prerequisites Before Installing AD DS
- Windows Server (2016 / 2019 / 2022 / 2025)
- Static IP address configured
- Updated system & security patches
- Correct system time & timezone
- Sufficient disk space (NTDS & SYSVOL)
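The prerequisites above can be checked before touching the server role. The script below is an added example (not part of the original guide) that runs in an elevated PowerShell session on the server that will become the domain controller; the thresholds in `$Expected` (free space, patch age) are lab assumptions, and the check names are mine.

```powershell
# Added example: pre-flight checks for the AD DS prerequisites listed above.
# Run elevated on the future domain controller. Thresholds are assumptions.
$Expected = @{
    MinFreeGB   = 40   # assumed minimum free space for NTDS, SYSVOL and logs
    MaxPatchAge = 30   # assumed: warn if the newest hotfix is older than this (days)
}

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Static IPv4 address: a DHCP lease that changes breaks DNS registration and Kerberos
$ipv4 = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.PrefixOrigin -ne 'WellKnown' -and $_.IPAddress -ne '127.0.0.1' }
$dynamic = $ipv4 | Where-Object { $_.PrefixOrigin -eq 'Dhcp' }
Add-Check 'Static IP' ($ipv4.Count -ge 1 -and $dynamic.Count -eq 0) `
    (($ipv4 | ForEach-Object { "$($_.IPAddress) ($($_.PrefixOrigin))" }) -join ', ')

# 2. Time service: Kerberos tolerates only 5 minutes of clock skew by default
$timeService = Get-Service -Name W32Time
$timeSource  = (w32tm /query /source 2>$null)
Add-Check 'Time service running' ($timeService.Status -eq 'Running') "source: $timeSource"

# 3. Patch level: the newest installed update should be recent
$latest  = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
$ageDays = if ($latest.InstalledOn) { (New-TimeSpan -Start $latest.InstalledOn).Days } else { [int]::MaxValue }
Add-Check 'Recent patches' ($ageDays -le $Expected.MaxPatchAge) "latest $($latest.HotFixID), $ageDays day(s) ago"

# 4. Free space on the system drive, where NTDS and SYSVOL live by default
$driveLetter = $env:SystemDrive.TrimEnd(':')
$sys    = Get-PSDrive -Name $driveLetter
$freeGB = [math]::Round($sys.Free / 1GB, 1)
Add-Check 'Free disk space' ($freeGB -ge $Expected.MinFreeGB) "$freeGB GB free on $driveLetter`:"

# 5. Server SKU: ProductType 1 is a client OS, 2 is a DC, 3 is a member server
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Add-Check 'Windows Server' ($os.ProductType -ne 1) "$($os.Caption) build $($os.BuildNumber)"

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'Fix the failed checks before installing AD DS.'
}
```

Time and DNS failures are the ones that surface later as confusing Kerberos errors, so those two checks are the ones worth keeping even if you trim the rest.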
## How to Download Windows Server ISO (2016 / 2019 / 2022 / 2025)
Before installing Active Directory Domain Services, you must obtain a legitimate Windows Server ISO image. Microsoft provides official evaluation ISOs suitable for learning, lab environments, and enterprise testing.
### Option 1: Download via Microsoft Evaluation Center
- Visit Microsoft Evaluation Center: https://www.microsoft.com/evalcenter
- Select Windows Server
- Choose version: 2016 / 2019 / 2022
- Select ISO download
- Fill in required evaluation details
### Option 2: Direct Official ISO Download Links
- Windows Server 2016: https://www.microsoft.com/en-us/evalcenter/download-windows-server-2016
- Windows Server 2019: https://www.microsoft.com/en-us/evalcenter/download-windows-server-2019
- Windows Server 2022: https://www.microsoft.com/en-us/evalcenter/download-windows-server-2022
- Windows Server 2025: https://www.microsoft.com/en-us/evalcenter/download-windows-server-2025
### Recommended Editions for AD DS Labs
- Windows Server Standard (Desktop Experience)
- Windows Server Datacenter (Desktop Experience)
Always choose Desktop Experience (GUI) when learning Active Directory Domain Services. Server Core is recommended only for advanced administrators.
## Installing Windows Server Using VMware (Complete Lab Setup)
VMware allows you to safely deploy Active Directory inside an isolated lab environment without affecting your physical system.
### Step 1: Install VMware Workstation
- Download VMware Workstation Player or Pro
- Supported on Windows & Linux
- Install with default settings
### Step 2: Create New Virtual Machine
- Open VMware Workstation
- Click Create a New Virtual Machine
- Select Typical (Recommended) → Next
- Choose I will install the operating system later
- Guest OS: Microsoft Windows
- Version: Windows Server 2016
- VM Name: WIN2016
- Disk Size: 60 GB
- Select Split disk into multiple files
- Click Finish
### Step 2.1: Virtual Hardware Configuration (Recommended)
| Component | Recommended Value |
|---|---|
| CPU | 2 vCPUs (Minimum) |
| Memory | 4–8 GB RAM |
| Disk | 80–100 GB (Single disk) |
| Network | NAT (Default) or Host-Only |
### Step 3: Attach Windows Server ISO
- Select VM → Edit virtual machine settings
- Click CD/DVD (SATA)
- Enable Connect at power on
- Select Use ISO image file
- Browse & select Windows Server 2016 ISO
- Click OK
### Step 4: Start Windows Installation
- Click Power on this virtual machine
- Windows Setup loads automatically
- Select Language, Time & Keyboard
- Click Install Now
### Step 5: Select Windows Server Edition
- Select Windows Server 2016 Standard Evaluation (Desktop Experience)
- Desktop Experience provides the GUI required for AD labs
- Click Next
### Step 6: Select Installation Type
- Choose Custom: Install Windows only (advanced)
- Click Next
### Step 7: Disk Selection
- Select Drive 0 Unallocated Space
- Click Next
### Step 8: Configure Administrator Password
- System installs & reboots automatically
- Enter a strong Administrator password
- Re-enter password → Finish
### Step 9: Log In to the Server
- Click inside the VM window
- VM → Send Ctrl + Alt + Del
- Log in as Administrator
### Step 10: Server Manager Dashboard
- Server Manager opens automatically
- Click Add roles and features
### Step 11: Add Roles & Features Wizard
- Review Before you begin
- Click Next
- Select Role-based or feature-based installation
- Click Next
- Select Local Server
- Click Next
### Step 11.1: Take Snapshot Before AD DS Installation
- Power off the virtual machine
- Create a VMware snapshot
- Name it Pre-AD DS Install
- Ensures safe rollback if promotion fails
### Step 12: Install Active Directory Domain Services (AD DS)
- Check Active Directory Domain Services
- Click Add Features
- Click Next through Features
- Click Install
### Step 13: Promote to Domain Controller
- Click Promote this server to a domain controller
- Select Add a new forest
- Root domain name: NotesTime.local
- Forest & Domain level: Windows Server 2016
- Ensure DNS Server & Global Catalog are checked
- Enter DSRM password
- Leave DNS delegation unchecked
- NetBIOS name: NOTESTIME
- Keep default database & SYSVOL paths
- Run Prerequisites Check
- Click Install
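Steps 12 and 13 map onto two cmdlets from the ADDSDeployment module. The block below is an added example (not the guide's own procedure) that creates the same forest from an elevated PowerShell session; the domain name, NetBIOS name, functional level and wizard choices are the ones stated above, and the DSRM password is prompted for rather than stored in the script.

```powershell
# Added example: forest creation equivalent to Steps 12-13.
# Domain/NetBIOS names come from the guide; everything else is a lab assumption.
$DomainName  = 'NotesTime.local'
$NetbiosName = 'NOTESTIME'

# Step 12: AD DS role plus the RSAT management tools (ADUC, DNS Manager, ...)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# The DSRM password only unlocks Directory Services Restore Mode on this DC;
# prompt for it so it never lands in a script file or shell history.
$dsrm = Read-Host -Prompt 'DSRM (Safe Mode Administrator) password' -AsSecureString

$forestParams = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = $NetbiosName
    ForestMode                    = 'WinThreshold'      # functional level "Windows Server 2016"
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true               # DNS Server role, as in the wizard
    CreateDnsDelegation           = $false              # guide: leave DNS delegation unchecked
    DatabasePath                  = 'C:\Windows\NTDS'   # default paths, kept as in the guide
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
    NoRebootOnCompletion          = $false              # reboot automatically (Step 14)
    Force                         = $true               # no interactive confirmation
}

# Step 13 "Prerequisites Check": same validation the wizard runs, changes nothing
$check = Test-ADDSForestInstallation @forestParams
$check | Format-List Status, Message

if ($check.Status -eq 'Success') {
    # Promotion. The server reboots when this returns.
    Install-ADDSForest @forestParams
} else {
    Write-Warning 'Prerequisite check failed; review the messages above before promoting.'
}
```

Take the VMware snapshot from Step 11.1 before running the last line: `Install-ADDSForest` cannot be undone from inside the guest without demoting the server.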
### Step 14: Automatic Reboot
- Server displays You're about to be signed out
- System reboots automatically
- Domain Controller promotion completes
### Step 15: Log In as Domain Administrator
- Press Ctrl + Alt + Del
- Log in as NOTESTIME\Administrator
### Step 16: Verify Active Directory Tools
- Open Start Menu
- Navigate to Windows Administrative Tools
- Confirm availability of:
  - Active Directory Users and Computers
  - Active Directory Domains and Trusts
  - Active Directory Sites and Services
  - DNS Manager
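Seeing the snap-ins in the Start Menu confirms the tools were installed, not that the domain controller works. The following added example (not from the guide) checks, from an elevated session on the new DC, the things that actually matter for clients: the DC services, the SRV records clients use to locate the DC, the time source, and the built-in `dcdiag` tests. The domain name is the guide's; nothing else is assumed.

```powershell
# Added example: post-promotion health check for the new domain controller.
$DomainName = 'NotesTime.local'

# Core services every DC must have running
Get-Service -Name NTDS, DNS, Netlogon, Kdc, W32Time |
    Select-Object Name, Status, StartType | Format-Table -AutoSize

# Clients find a DC through these SRV records; Netlogon registers them in the DC's own DNS
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV | Format-Table Name, NameTarget, Port
Resolve-DnsName -Name "_kerberos._tcp.$DomainName" -Type SRV | Format-Table Name, NameTarget, Port

# Directory facts: FSMO roles, global catalog, functional levels
Get-ADDomainController | Select-Object HostName, IsGlobalCatalog, OperationMasterRoles, Site
Get-ADForest | Select-Object Name, ForestMode, SchemaMaster
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode, PDCEmulator

# Time: the PDC emulator is the domain's time authority and should not report "Local CMOS Clock"
w32tm /query /status

# Built-in diagnostics: /c runs the comprehensive test set, /q prints only failures
dcdiag /c /q
repadmin /showrepl    # a single-DC forest has no partners yet; confirms the tool and NTDS respond

# The Step 16 snap-ins, as installed features
Get-WindowsFeature -Name RSAT-ADDS, RSAT-DNS-Server | Select-Object Name, Installed
```

If the SRV lookups fail, fix DNS before creating any objects; nearly every later symptom (slow logons, failed domain joins, Group Policy not applying) traces back to clients that cannot resolve these records.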
## Managing Active Directory Objects (OU, Users, Groups & Computers)
Active Directory organizes resources using logical objects. Understanding how to create and manage these objects is essential for administration, security, and Group Policy enforcement.
### Organizational Unit (OU)
An Organizational Unit (OU) is a container used to organize users, groups, computers, and other OUs within a domain. OUs are primarily used for delegation and Group Policy application.
- Logical organization of AD objects
- Enables Group Policy targeting
- Supports administrative delegation
#### How to Create an OU
- Open Active Directory Users and Computers
- Right-click the domain (NotesTime.local)
- Select New → Organizational Unit
- Enter OU name (e.g. IT, HR)
- Click OK
### User Object
A User object represents an individual identity used to log in, access resources, and receive permissions within the domain.
- Used for authentication
- Assigned permissions via groups
- Controlled by Group Policies
#### How to Create a User
- Open Active Directory Users and Computers
- Navigate to the desired OU
- Right-click → New → User
- Enter name and username (e.g. jdoe)
- Set password and account options
- Click Finish
#### How to Delete a User
Deleting a user permanently removes the account from Active Directory. This action should be performed carefully, especially in production environments.
- Ensure the user account is no longer required
- Disable the account first (recommended best practice)
- Confirm no critical services depend on the account
#### Step-by-Step: Delete a User Account
- Open Active Directory Users and Computers
- Navigate to the appropriate Organizational Unit (OU)
- Locate the user account (e.g. jdoe)
- Right-click the user → Select Delete
- Click Yes to confirm deletion
#### Recommended Enterprise Practice
- Step 1: Disable the account
- Step 2: Remove from all security groups
- Step 3: Wait 30–90 days (grace period)
- Step 4: Then permanently delete
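The four-step practice above is easy to state and easy to skip under time pressure, which is why it is worth scripting. The block below is an added example (not from the guide) that implements it with the ActiveDirectory module: one function disables the account, strips its group memberships and stamps the date; a second function deletes only accounts whose stamp is older than the grace period. The account name `jdoe` comes from the guide; the 30-day grace period and the holding OU for disabled accounts are assumptions.

```powershell
# Added example: offboarding workflow (disable -> remove groups -> grace period -> delete).
Import-Module ActiveDirectory

$GraceDays  = 30                                          # assumed; guide allows 30-90 days
$DisabledOU = 'OU=Disabled Users,DC=NotesTime,DC=local'   # assumed holding OU, must exist

function Disable-OffboardedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user  = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    $stamp = (Get-Date).ToString('yyyy-MM-dd')

    # Step 1: disable, so the identity can no longer authenticate anywhere
    Disable-ADAccount -Identity $user

    # Step 2: leave every group except the primary group (Domain Users), so any
    # delegated rights and resource access disappear now, not after the grace period
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }

    # Record when it was disabled; the deletion pass reads this stamp to apply the grace period
    Set-ADUser -Identity $user -Description "DISABLED $stamp - delete after $GraceDays days"
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
}

function Remove-ExpiredOffboardedUsers {
    # Steps 3-4: delete only disabled accounts whose stamp is older than the grace period
    $cutoff = (Get-Date).AddDays(-$GraceDays)
    Get-ADUser -SearchBase $DisabledOU -Filter 'Enabled -eq $false' -Properties Description |
        ForEach-Object {
            if ($_.Description -match '^DISABLED (\d{4}-\d{2}-\d{2})') {
                $stampDate = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
                if ($stampDate -lt $cutoff) {
                    Write-Host "Deleting $($_.SamAccountName) (disabled $($Matches[1]))"
                    Remove-ADUser -Identity $_ -Confirm:$false
                }
            }
        }
}

# Usage:
# Disable-OffboardedUser -SamAccountName 'jdoe'
# Remove-ExpiredOffboardedUsers        # run on a schedule, e.g. weekly
```

Keeping the disabled accounts in their own OU has a second benefit: a "deny logon" GPO linked to that OU, and a periodic `Get-ADUser -SearchBase $DisabledOU -Filter 'Enabled -eq $true'` check, catches an account that was quietly re-enabled.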
### Managing Multiple Users in an OU & Assigning an Administrator
An Organizational Unit (OU) can contain multiple user accounts. You can assign administrative privileges to a specific user either at the domain level or only for a specific OU.
#### Example Scenario
- OU Name: IT
- Users inside OU: Rahul, Priya, Amit
- Requirement: Assign Rahul as IT Administrator
#### Method 1: Assign Domain Administrator (Full Control – Not Recommended for OU Only)
- Open Active Directory Users and Computers
- Navigate to the Users container
- Double-click the Domain Admins group
- Click Add
- Add user (e.g. Rahul)
- Click OK
#### Method 2: Delegate Control on a Specific OU (Recommended Enterprise Method)
This method gives administrative control only over a specific OU, not the entire domain.
- Right-click the OU (e.g. IT)
- Select Delegate Control
- Click Next
- Click Add → Select user (e.g. Rahul)
- Click Next
- Choose task:
  - Create, delete, and manage user accounts
  - Reset user passwords
  - Modify group membership
- Click Next → Finish
#### Enterprise Best Practice
- Never assign users directly to Domain Admins unless necessary
- Use OU-level delegation instead
- Follow the Least Privilege Principle
- Use separate admin accounts (e.g. rahul.admin)
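The Delegation of Control wizard writes access control entries onto the OU; seeing those entries makes it clear what Method 2 actually grants and how to audit it later. The block below is an added example (not from the guide) that grants the three wizard tasks from Method 2 on the IT OU through the AD PowerShell provider, then lists the resulting explicit ACEs and checks that the delegate is not also a Domain Admin. The OU and the `rahul.admin` account name come from the guide; the rights are looked up from the forest schema rather than hard-coded, and the set of ACEs is my approximation of what the wizard writes for those tasks.

```powershell
# Added example: OU-level delegation (Method 2) with the AD: provider, plus an audit.
Import-Module ActiveDirectory

$OuDn     = 'OU=IT,DC=NotesTime,DC=local'
$Delegate = 'rahul.admin'      # separate admin account, per the best-practice list

# Resolve schema and extended-right GUIDs from this forest instead of hard-coding them
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}
$userClass  = Get-SchemaGuid 'user'
$groupClass = Get-SchemaGuid 'group'
$memberAttr = Get-SchemaGuid 'member'
$resetPwd   = Get-ExtendedRightGuid 'Reset Password'

$sid   = (Get-ADUser -Identity $Delegate).SID
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$R     = [System.DirectoryServices.ActiveDirectoryRights]
$Rule  = [System.DirectoryServices.ActiveDirectoryAccessRule]

$acl = Get-Acl -Path "AD:\$OuDn"
# Task "Create, delete, and manage user accounts": create/delete user objects in the OU tree,
# and full control over the user objects that already exist below it
$acl.AddAccessRule($Rule::new($sid, ($R::CreateChild -bor $R::DeleteChild), $Allow, $userClass, $All))
$acl.AddAccessRule($Rule::new($sid, $R::GenericAll, $Allow, $Desc, $userClass))
# Task "Reset user passwords": the extended right, scoped to user objects below the OU
$acl.AddAccessRule($Rule::new($sid, $R::ExtendedRight, $Allow, $resetPwd, $Desc, $userClass))
# Task "Modify group membership": write the member attribute on group objects below the OU
$acl.AddAccessRule($Rule::new($sid, $R::WriteProperty, $Allow, $memberAttr, $Desc, $groupClass))
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Audit: explicit (non-inherited) ACEs for the delegate on this OU
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like "*\$Delegate" } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType -AutoSize

# Audit: OU delegation is pointless if the same account is a Domain Admin anyway
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
if ($domainAdmins -contains $Delegate) {
    Write-Warning "$Delegate is a member of Domain Admins; remove it there and rely on the OU delegation."
}
```

The same `Get-Acl ... | Where-Object { -not $_.IsInherited }` query, run over every OU, is the quickest way to find delegations nobody remembers granting; compare its output against a written list of intended delegations as part of regular reviews.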
### Group Object
A Group object is used to assign permissions to multiple users or computers at once. This simplifies access management.
- Centralized permission management
- Users added to groups inherit access
- Reduces administrative overhead
#### How to Create a Group
- Right-click the desired OU
- Select New → Group
- Enter group name (e.g. IT-Admins)
- Group scope: Global
- Group type: Security
- Click OK
### Computer Object
A Computer object represents a machine that is joined to the Active Directory domain.
- Represents domain-joined systems
- Receives computer-based Group Policies
- Used for access control and auditing
#### How to Create a Computer Object
- Open Active Directory Users and Computers
- Right-click the desired OU
- Select New → Computer
- Enter computer name (e.g. WIN10-CLIENT)
- Click OK
### Best Practices for AD Object Management
- Use OUs instead of default containers
- Separate users, computers, and servers
- Use groups for permissions (AGDLP model)
- Apply GPOs at OU level
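The OU, user, group and computer how-tos above, and the "separate users, computers and servers" practice, come together in the following added example (not the guide's own procedure). It builds the IT OU with child OUs per object type and creates the sample objects named in the sections above (`jdoe`, `IT-Admins`, `WIN10-CLIENT`) with the ActiveDirectory module; the child-OU layout and the user's display name are assumptions.

```powershell
# Added example: creating the objects from the how-to sections with the ActiveDirectory module.
Import-Module ActiveDirectory

$DomainDn = 'DC=NotesTime,DC=local'

# OU tree: IT, with one child OU per object type (assumed layout), protected from accidental deletion
New-ADOrganizationalUnit -Name 'IT' -Path $DomainDn -ProtectedFromAccidentalDeletion $true
foreach ($child in 'Users', 'Groups', 'Workstations') {
    New-ADOrganizationalUnit -Name $child -Path "OU=IT,$DomainDn" -ProtectedFromAccidentalDeletion $true
}

# User: initial password is prompted, never hard-coded, and must be changed at first logon
$initialPassword = Read-Host -Prompt 'Initial password for jdoe' -AsSecureString
New-ADUser -Name 'John Doe' -GivenName 'John' -Surname 'Doe' `
    -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@NotesTime.local' `
    -Path "OU=Users,OU=IT,$DomainDn" -AccountPassword $initialPassword `
    -ChangePasswordAtLogon $true -Enabled $true

# Group: Global security group, as in the how-to (AGDLP: accounts go into Global groups)
New-ADGroup -Name 'IT-Admins' -SamAccountName 'IT-Admins' -GroupScope Global -GroupCategory Security `
    -Path "OU=Groups,OU=IT,$DomainDn" -Description 'IT staff; receives rights through domain local groups'
Add-ADGroupMember -Identity 'IT-Admins' -Members 'jdoe'

# Computer: pre-staged account, so the machine lands in this OU when it joins rather than in CN=Computers
New-ADComputer -Name 'WIN10-CLIENT' -Path "OU=Workstations,OU=IT,$DomainDn" -Enabled $true

# Verify what was created under the IT OU
Get-ADObject -SearchBase "OU=IT,$DomainDn" -Filter * |
    Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize
```

The AGDLP part is only half shown here: `IT-Admins` is the Global group that holds accounts; permissions on a resource would be granted to a Domain Local group that contains `IT-Admins`, never to the user directly.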
## How to Create a Group Policy (GPO) – Step by Step
Group Policy allows administrators to centrally manage user and computer settings across the domain. GPOs are usually linked to an Organizational Unit (OU).
### Example Scenario
- OU Name: IT
- Requirement: Disable Control Panel for IT users
### Step 1: Open Group Policy Management
- Click Start
- Open Server Manager
- Go to Tools
- Select Group Policy Management
### Step 2: Create New GPO
- Expand your domain (e.g. NotesTime.local)
- Right-click the target OU (e.g. IT)
- Select Create a GPO in this domain, and Link it here
- Enter GPO Name (e.g. IT-ControlPanel-Restriction)
- Click OK
### Step 3: Edit the GPO
- Right-click the newly created GPO
- Select Edit
- Navigate to: User Configuration → Administrative Templates → Control Panel
- Double-click Prohibit access to Control Panel and PC settings
- Select Enabled
- Click Apply → OK
### Step 4: Apply & Verify Policy
- Log in as a user inside the IT OU
- Open Command Prompt
- Run command: gpupdate /force
- Test whether Control Panel access is restricted
### Enterprise Best Practices for GPO
- Never edit Default Domain Policy unless necessary
- Use descriptive naming for GPOs
- Test GPOs in a lab before production
- Avoid linking too many GPOs to one OU
- Document every policy change
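Steps 2 to 4 can also be done with the GroupPolicy module, which is installed alongside the RSAT tools. The block below is an added example (not from the guide): it creates the GPO with the link initially disabled, writes the same administrative-template setting, produces a report for review, and only then enables the link. The GPO name, OU and policy setting are the guide's; the registry value `NoControlPanel` under `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer` is what that template writes, and the user and computer names in the verification line are assumptions.

```powershell
# Added example: the Control Panel restriction GPO from Steps 2-4 via the GroupPolicy module.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName = 'IT-ControlPanel-Restriction'
$OuDn    = 'OU=IT,DC=NotesTime,DC=local'

# Step 2: create and link. The link starts disabled so nothing applies before review.
$gpo = New-GPO -Name $GpoName -Comment 'Prohibit access to Control Panel and PC settings for IT users'
New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled No | Out-Null

# Step 3: User Configuration > Administrative Templates > Control Panel >
#         "Prohibit access to Control Panel and PC settings" = Enabled
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# Only the user half of this GPO is used; disabling the computer half removes needless processing
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# Review the settings report, then enable the link (the "document every change" practice)
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\$GpoName.html"
Set-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null

# Step 4 on the client, as an IT user:   gpupdate /force   then   gpresult /r /scope:user
# Or from the admin workstation, without logging in as the user (names assumed):
# Get-GPResultantSetOfPolicy -User 'NOTESTIME\jdoe' -Computer 'WIN10-CLIENT' `
#     -ReportType Html -Path "$env:TEMP\rsop-jdoe.html"
```

Because the setting lives under User Configuration, it follows the user, not the machine: a user in the IT OU gets the restriction on every computer they log on to, and a user outside that OU is unaffected even on a workstation that sits in the IT OU.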
## How to Add (Join) a Computer to Active Directory – Real-World Enterprise Steps
In real enterprise environments, computers are joined to the domain to enable centralized authentication, Group Policy enforcement, security control, and auditing.
### Real-World Scenario
- Domain Name: NotesTime.local
- Client OS: Windows 10 / Windows 11
- OU Target: Workstations
- IT Admin performing domain join
### Step 1: Pre-Join Requirements (Very Important)
- Client must use the Domain Controller's DNS IP
- Network connectivity to the Domain Controller
- Correct date & time (Kerberos requirement)
- Domain credentials (Domain Admin or delegated account)
### Step 2: Configure DNS on Client Machine
- Open Network Settings
- Go to Adapter Options
- Right-click → Properties
- Select Internet Protocol Version 4 (TCP/IPv4)
- Set Preferred DNS to the Domain Controller IP (e.g. 192.168.1.10)
- Click OK
### Step 3: Join Computer to Domain
- Right-click This PC → Select Properties
- Click Advanced system settings
- Under the Computer Name tab → Click Change
- Select Domain
- Enter domain name: NotesTime.local
- Click OK
- Enter Domain Admin credentials
- Click OK
### Step 4: Restart Computer
- System will prompt for restart
- Click Restart Now
### Step 5: Log In Using Domain Account
- Press Ctrl + Alt + Del
- Click Other User
- Log in using: NOTESTIME\username
### Step 6: Move Computer to Correct OU (Important in Enterprise)
- Open Active Directory Users and Computers
- Locate the computer in the Computers container
- Right-click → Move
- Select the appropriate OU (e.g. Workstations)
- Click OK
### Real-World Enterprise Best Practices
- Use delegated accounts for domain join
- Use naming standards (e.g. HR-WS-001)
- Join computers directly into the correct OU (via PowerShell or imaging tools)
- Apply baseline security GPO immediately
- Monitor domain join events in Event Viewer
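The join steps above and three of the best practices (delegated account, join straight into the target OU, monitor join events) fit in one script. The block below is an added example (not from the guide): the first function runs on the client and covers Steps 1 to 4, the other two run on the domain controller and cover Step 6 and the event monitoring. The domain name, DC address and OU come from the guide; the adapter alias, the `HR-WS-001` computer name and the delegated join account are assumptions.

```powershell
# Added example: domain join with pre-checks (client side), stray-computer cleanup and
# join-event monitoring (DC side). Values marked "assumed" are not from the guide.

# ---- On the client, elevated PowerShell ---------------------------------------
function Join-LabWorkstation {
    param(
        [string]$DomainName = 'NotesTime.local',
        [string]$DcIp       = '192.168.1.10',
        [string]$OuPath     = 'OU=Workstations,DC=NotesTime,DC=local',
        [string]$NewName    = 'HR-WS-001',   # naming standard from the best-practice list
        [string]$Adapter    = 'Ethernet0'    # assumed alias; list adapters with Get-NetAdapter
    )
    # Step 2: DNS must point at the DC, or the SRV lookup below (and the join) cannot find a DC
    Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DcIp
    Clear-DnsClientCache

    # Step 1 checks: DNS locates a DC; Kerberos (88), LDAP (389) and SMB (445) are reachable
    $dc = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
    Write-Host "DC from SRV record: $($dc.NameTarget)"
    foreach ($port in 88, 389, 445) {
        if (-not (Test-NetConnection -ComputerName $DcIp -Port $port -InformationLevel Quiet)) {
            throw "DC $DcIp is not reachable on TCP $port"
        }
    }
    # Clock offset against the DC; Kerberos rejects tickets beyond 5 minutes of skew by default
    w32tm /stripchart /computer:$DcIp /samples:3 /dataonly

    # Steps 3-4: join straight into the target OU with a delegated account, then reboot
    $cred = Get-Credential -Message 'Account delegated to join computers to the domain'
    Add-Computer -DomainName $DomainName -OUPath $OuPath -NewName $NewName -Credential $cred -Restart
}

# ---- On the domain controller (or a workstation with RSAT) ---------------------
function Move-StrayComputers {
    # Step 6: relocate machines that were joined without an OU path and landed in CN=Computers
    param([string]$OuPath = 'OU=Workstations,DC=NotesTime,DC=local')
    Import-Module ActiveDirectory
    Get-ADComputer -SearchBase (Get-ADDomain).ComputersContainer -Filter * |
        ForEach-Object {
            Write-Host "Moving $($_.Name) to $OuPath"
            Move-ADObject -Identity $_.DistinguishedName -TargetPath $OuPath
        }
}

function Get-RecentDomainJoins {
    # Monitoring: Security event 4741 = computer account created, 4742 = computer account changed.
    # Requires the "Audit Computer Account Management" subcategory to be enabled on the DC.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4741, 4742
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-List
}

# Usage:
# Join-LabWorkstation                          # on the client
# Move-StrayComputers; Get-RecentDomainJoins   # on the DC
```

A computer account created by an identity that is not the delegated join account, or a join landing outside working hours, is exactly the kind of anomaly the 4741 events let you spot; the point of the monitoring practice is to read them, not just to have them logged.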
## AD Lab Best Practices (Professional)
- Windows Server Installed
- Active Directory Domain Services Installed
- Domain Controller Promoted
- DNS Configured Automatically
- AD Administrative Tools Available
## Final Enterprise Takeaways
- AD DS setup defines enterprise security posture
- DNS, Kerberos, and time sync are critical
- Misconfiguration is the primary risk
- Hardening must follow installation immediately
- Continuous monitoring is mandatory